06 - SQL Injection

 1. Read the text on the image below. Let's start at the beginning - what is SQL?
[Image: sqlinjection_question1.png]

  Simplified Question Lingo

  Structured Query Language

  Sentient Quotient Lizard

  Samsung Quip Language

 2. What is SQL used for?

  used to structure questions and post them on the internet

  used by hackers, and only by hackers

  used for creating games

  used in programming and designed for managing data held in a relational database management system (e.g. one linked to a website)

 3. A large number of online websites that have database-driven features (e.g. customers signing up) use SQL databases.
[Image: sqlinjection_question3.png]

  FALSE

  TRUE

 4. Here is an example of an SQL statement. It is selecting the fields firstname and lastname from a table...
[Image: sqlinjection_question4.gif]

  ...called tblLondon where all staff are located

  ...that is called the "London Office"

  ...called tblStaff for only the staff who are in the London Office

  There are no tables being referred to in this code

 5. Which of the following statements about SQL injection is true?
1. SQL injection is a code injection technique that might destroy your database.

2. SQL injection is one of the most common web hacking techniques.

3. SQL injection is the placement of malicious code in SQL statements, via web page input.

  Only 1 is true

  None of them are true

  They are all true

  Only 1 and 3 are true

 6. SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id...

  The user uses physical ink to inject and corrupt your database

  The user gives you an SQL statement that you will unknowingly run on your database.

  The user uses Python programming code to hack into your MySQL database

  The user enters the phrase "sql injection" into the field, which will delete your database

 7. Analyse the code below. The original/intended purpose of the code was to...
[Image: sqlinjection_question7.png]

  create an SQL statement that prevents a hacker

  create an SQL statement that allows zero input

  create a text input box

  create an SQL statement to select a user, with a given user id.

 8. Why would or could this be dangerous?
If there is nothing to prevent a user from entering "wrong" input, the user can enter some "sly" input like that shown in the image. The resulting SQL is valid and will return ALL rows from the "Users" table, since OR 1=1 is always TRUE.
[Image: sqlinjection_question8.png]

  The "Users" table could be instantly deleted

  This could never be dangerous

  The "Users" table could inject the hacker's own machine in a reverse attack

  The "Users" table could contain names and passwords that the hacker may then see.

 9. An example of an SQL injection is: A hacker might get access to all the user names and passwords in a database, by simply inserting 105 OR 1=1 into the input field.

  TRUE

  FALSE

 10. Read through the example below. Why could this be dangerous?
[Image: sqlinjection_question10.png]

  because the SQL would be invalid and would do nothing

  because the SQL would cause the entire contents of the database to be corrupted

  because the SQL would be valid and will return all rows from the "Users" table, since OR ""="" is always TRUE.

  because the SQL has entered rubbish, and the integrity of the database data will be affected.

 11. Select which SQL statement will do what the description says.
Most databases support batched SQL statements.
A batch of SQL statements is a group of two or more SQL statements, separated by semicolons.
The SQL statement below will return all rows from the "Users" table, then delete the "Suppliers" table.

  SELECT * FROM Users; DROP TABLE Suppliers

  * FROM Users; DROP TABLE 

  SELECT FROM All; DROP TABLE Suppliers

  SELECT * FROM; DO TABLE Suppliers

 12. Analyse the image below and what is happening in it. What would the resulting SQL statement be?
[Image: sqlinjection_question12.png]

  DROP TABLE Suppliers;

  SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers;

  SELECT * FROM Users WHERE UserId = 105;

  SELECT * FROM Suppliers WHERE UserId = 105; DROP TABLE Users;

 13. To protect a web site from SQL injection, you can use SQL _______________

  parentheses

  parameters

  prolife

  prayers

 14. SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.
The SQL engine checks each parameter to ensure that it is correct for its column, and parameters are treated literally, not as part of the SQL to be executed.

  FALSE

  TRUE

 15. True or False
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

  TRUE

  FALSE

 16. SQL injection (SQLI) was considered one of the top 10 web application vulnerabilities of 2007 and 2010 by the Open Web Application Security Project.

  TRUE

  FALSE

 17. Blind SQL Injection is used when a web application is vulnerable to an SQL injection and the results of the injection are wholly visible to the attacker.

  TRUE

  FALSE

 18. In 2015, an SQL injection attack stole the personal details of 156,959 customers from British telecommunications company TalkTalk's servers.

  FALSE

  TRUE

 19. In 2009, the US Department of Justice charged an American, Albert Gonzalez, and two unnamed Russians with the theft of 130 million credit card numbers using an SQL injection attack.
[Image: sqlinjection_question19.png]

  False

  True

 20. Put simply, an SQL injection is when a user tries to use...
*Note: the simple answer for how to prevent an SQL injection is: the server-side code must carefully validate the input before the SQL request is formed (e.g. the username and password may only be a certain length, or may not contain spaces, etc.).

  blank spaces to delete the database

  extra SQL commands into the input boxes, hoping these commands will be carried out by the server

  sql code to damage the website

  extra SQL commands that are typed directly into the server's database to corrupt it